On Tue, Aug 03, 2021 at 01:23:32PM -0400, John Levine wrote:

> >https://nakedsecurity.sophos.com/2021/06/11/alpaca-the-wacky-tls-security-vulnerability-with-a-funky-name/
>
> Just wondering, did you add the anti-http stuff because of ALPACA or was it
> already there?
Postfix is written *defensively*, so it terminates connections from browsers
sending SMTP commands and payload as a single HTTP request, by detecting HTTP
verbs and request headers. These are defenses to protect SMTP servers from
abused HTTP clients, that fortuitously also work to protect HTTP clients from
abusable SMTP servers (that share certificates with HTTP servers, ...). The
defenses have been in place for quite some time.

Likewise, Postfix had detection of NUL bytes in certificate names, long before
Moxie exploited some CA to obtain a cert for "*\0.some.dom.ain", and requires
at least two labels after the "*" (no "*" or "*.tld" certs were accepted).
Now that (a decade plus later) functionally equivalent checks have also been
in OpenSSL (1.0.2 and later) for some time, Postfix 3.6 (for now the most
recent stable release) finally delegates certificate name checks to OpenSSL
(and requires OpenSSL >= 1.1.1).

So while we don't always anticipate all future security issues, we have a
reasonable track record of being ready when they happen.

--
Viktor.
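As an added illustration, not Postfix source and not part of this thread, here is a self-contained sketch of the two checks the reply describes: closing an SMTP session at the first command line that is really an HTTP request line or header, and refusing certificate names with NUL bytes or wildcards that leave fewer than two labels after the "*". The HTTP verb list, header names and sample session are assumptions constructed for the example.

```python
import re

# Assumed HTTP request verbs and a few request headers to recognise; Postfix's
# actual matching rules are not reproduced here.
HTTP_VERBS = {"GET", "POST", "PUT", "HEAD", "OPTIONS", "DELETE", "CONNECT", "TRACE", "PATCH"}
_REQUEST_LINE = re.compile(r"^([A-Z]+) \S+ HTTP/\d\.\d$")
_HEADER_LINE = re.compile(r"^(Host|User-Agent|Content-Length|Content-Type|Accept): ", re.I)


def looks_like_http(line: str) -> bool:
    """True if an SMTP 'command' line is actually an HTTP request line or header."""
    line = line.rstrip("\r\n")
    m = _REQUEST_LINE.match(line)
    if m and m.group(1) in HTTP_VERBS:
        return True
    return bool(_HEADER_LINE.match(line))


def filter_session(lines):
    """Walk SMTP command lines in order; return the lines accepted before the
    first HTTP-looking line (where the server would drop the connection) and
    that offending line, or None if the whole session looked like SMTP."""
    accepted = []
    for line in lines:
        if looks_like_http(line):
            return accepted, line
        accepted.append(line)
    return accepted, None


def cert_name_ok(name: str) -> bool:
    """Reject embedded NUL bytes and empty labels; a wildcard must be the whole
    leftmost label and be followed by at least two more labels, so '*' and
    '*.tld' are refused while '*.some.dom.ain' is accepted."""
    if not name or "\x00" in name:
        return False
    labels = name.split(".")
    if any(not lab for lab in labels):
        return False
    if "*" in name:
        if labels[0] != "*" or "*" in name[2:]:
            return False
        return len(labels) >= 3
    return True


# Constructed sample: a browser tricked into speaking HTTP to an SMTP port.
SAMPLE_SESSION = [
    "EHLO mail.example.net",
    "MAIL FROM:<alice@example.net>",
    "GET /index.html HTTP/1.1",
    "Host: mail.example.net",
]
```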